Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)

🗓️ 08 Aug 2016 00:00:00Reported by Nabeel AhmedType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 84 Views

Privilege Escalation in Windows 7 via Group Polic

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)
8 Aug 201600:00
zdt
Circl		CVE-2016-3223
8 Aug 201600:00
circl
CNVD		Microsoft Windows Group Policy Elevation of Privilege Vulnerability
16 Jun 201600:00
cnvd
CVE		CVE-2016-3223
16 Jun 201601:00
cve
Cvelist		CVE-2016-3223
16 Jun 201601:00
cvelist
exploitpack		Microsoft Windows 7 (x86x64) - Group Policy Privilege Escalation (MS16-072)
8 Aug 201600:00
exploitpack
Microsoft KB		MS16-072: Description of the security update for Group Policy: June 14, 2016
14 Jun 201607:00
mskb
Microsoft KB		Cumulative update for Windows 10: June 14, 2016
16 Jun 201607:00
mskb
Microsoft KB		Cumulative Update for Windows 10 version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016
16 Jun 201607:00
mskb
Microsoft KB		MS16-072: Security update for Group Policy: June 14, 2016
14 Jun 201600:00
mskb
Rows per page
# Exploit Title: Group Policy Elevation of Privilege Vulnerability
# Date: 08-08-2016
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 Professional (x32/x64)
# CVE : CVE-2016-3223
# Category: Privilege Escalation

SPECIAL CONFIG: Standard Domain Member configuration with valid credentials. (Standard Domain User with valid credentials)
SUMMARY: This vulnerability allows an attacker to create/modify local Administrator account through a fake Domain Controller by creating User Configuration Group Policies.

1) Prerequisites:
			- Standard Windows 7 Fully patched and member of an existing domain. (e.g. domain.local)
			- Domain User Credentials are known with no Administrative rights.
			- Computer has to be connected on a network.
			- Fake Domain Controller
			
2) Reproduce:
	STEP 1: Determine domain of the target computer (e.g. domain.local)
	STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to loggin in. The username can be extracted from the loginscreen (E.g USER1)
	STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
	STEP 4: Create User with similar name and password as the target computer. (E.g. domain\USER1:password123!).
	STEP 5: Login on the target system with the known Username and Password without any network connection (using cached credentials).
	STEP 6: Establish network connection between the target system and the newly created Domain Controller.
	STEP 7: Create a Group Policy called "Create Local Admin"
	STEP 8: Edit the "Create Local Admin" Group Policy to create in the User Configuration section a new user called "TestAdmin" and add him to the group "Administrators".
	STEP 9: Open Command Prompt on the target system and execute the following command: "gpupdate /target:user /force"
	STEP 10: User Policy update will complete successfully.
	STEP 11: Confirm the newly created Administrator "TestAdmin" by executing the following command in Command Prompt: "net localgroup Administrators"
	STEP 12: "TestAdmin" user will be member of the Administrators group.
	
3) Impact:
	A regular Domain User can gain higher privileges on his system by creating a new administrator through Group Policies created on a fake Domain Controller

4) Solution:
	Install the latest patches from 14-06-2016 using Windows Update.

5) References:
	https://technet.microsoft.com/en-us/library/security/ms16-072.aspx
	https://support.microsoft.com/en-us/kb/3163622

6) Credits:
	Vulnerability discovered by Nabeel Ahmed (https://twitter.com/NabeelAhmedBE) and  Tom Gilis (https://twitter.com/tgilis) of Dimension Data (https://www.dimensiondata.com)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Aug 2016 00:00Current
8.1High risk
Vulners AI Score8.1
CVSS 38.1
CVSS 29.3
EPSS0.54795
windows 7group policyprivilege escalationdomain controllervulnerabilityuser configurationfake domainadministrator accountactive directorypatchcve-2016-3223dimension data
84